Designing a Communication That Will Not Be Mistaken As a Phishing Message
Putting together a survey invite, newsletter or other communication for the UBC community that does not confuse faculty and staff can be difficult, especially when UBC Cybersecurity is spending time training employees on what to report. However, there are some common items that faculty and staff typically look for when deciding whether a message is trustworthy. Taking the following checklist into consideration while developing communications and survey invites can increase the rate at which recipients accept them as legitimate:
Sender Address
Where is the communication being sent from?
The communication should be distributed from an @ubc.ca email address and should be recognizable as authoritative for the target audience.
A [CAUTION: Non-UBC Email] warning tag will be added to the top of external email messages to remind recipients to verify the authenticity of the email before clicking on any hyperlinks, opening any attachments, forwarding or responding. The tag is not an indicator that an email is phishing, fraudulent or spam.
UBC communicators that utilize third-party email-sending services can request that the External Email Security Warning Tag not be applied to their legitimate notifications.
It is important to note that exemptions will not be provided for entire services or systems. Instead, exemptions are based on the service’s IP address(es), combined with the sending email address(es) used by the service for incoming emails to UBC. To exempt a service, we require a complete list of the email addresses that the service uses to send emails to UBC mailboxes on behalf of the UBC unit.
Branding
Does the communication use UBC Common Look and Feel (CLF)?
Banners and formatting using UBC branding can increase the legitimacy of your communication.
Salutations
Is the communication being sent to a named person?
Wherever possible, your communication should be sent to a named individual to personalize the message and increase legitimacy.
Use of Links
Is it necessary to include a link in your communication?
Does your communication instruct recipients to visit a commonly used website or log in to an application they are familiar with to discover more details about the subject of your communication?
Is it possible to provide instructions about where to find the information instead of including a hyperlink?
- “Please log into [ ] and review your notifications.”
- “Visit [title of website] for more information.”
Is it necessary to include a URL in your communication?
If a URL is necessary, we encourage staff and faculty to break the URLs in their emails by using hxxp in the prefix instead of http, in an effort to discourage users from instinctively clicking on links in emails.
When sending mass internal communications, we recommend including the brief disclaimer: “Think before you click - copy and paste the URL into your browser and replace hxxps with https.”
In cases where it is not appropriate to provide a signatory, such as an initiative or program, include the name of the program along with a general email address that is regularly monitored.
Crafting a Survey
When designing your survey, you should only request the minimum amount of information required from respondents to provide statistically meaningful data.
You should only request personal information from respondents where it is required to provide validity and/or to strengthen the analysis and results of the survey data.
Never request passwords or passcodes from respondents.